Interestingly mixed reactions to the CJEU’s SRB ruling. Some: “nothing new!”. Others: “finally, relative nature of personal data confirmed!”. Why?
The Court stated in unambiguous terms (paras. 77 + 86) that pseudonymised data can be non-personal data for a recipient if the technical and organisational measures of the pseudonymisation are effective and prevent access by the recipient to the “identifying” information (i.e. additional information enabling identification).
This was the first time the CJEU stated explicitly that the recipient’s perspective matters.
*This is new*. Yes, it builds upon Breyer and it draws from OLAF (OC v Commission). Yes, it is what I have been telling many for years is the logical consequence of Breyer and Recital 26 of the GDPR (and Recital 26 of the data protection Directive before that). But if the European Data Protection Supervisor *and* the European Data Protection Board argued against this (basically, all supervisory authorities), then surely this was necessary and new.
And what about para. 84? In my view, it doesn’t add to Scania. But it shows the limits to pseudonymisation’s effect: if a recipient of pseudonymised data shares it with someone else who *is* capable of reidentifying it, that can cause the GDPR to apply again. (This is what I have long called *potentially personal data*, data that the holder believes *could* become personal data but that requires someone else’s intervention to become so. It’s not yet subject to the GDPR, but you can then take measures to anticipate it a little.)
On the transparency & information part, I do believe the CJEU’s position is linked to the legal ground being consent – and due to an assumption that Deloitte actually was a controller (the allegations that it was a processor were declared inadmissible because they were raised too late in the proceedings).
Many questions arose from the reactions to the ruling. For instance:
– If the recipient is a processor, to what extent does this hold true?
– What are the consequences of this plus Scania for someone who shares data that he/she believes not to be personal data?
– Can we find a practical solution for (or way out of?) recipient naming if the legal ground isn’t consent and all they receive is pseudonymised data? (As sharing the name of someone who has no clue who they are doesn’t really help data subjects defend their rights)
I’ll be posting a fuller analysis of the implications (including these questions and suggested answers) and on how I think this relative approach can be made to work usefully, bringing all of this case law together.
EDIT: here it is: https://lnkd.in/efjH6NNr
Meanwhile, catch up on our live discussion from yesterday:
– Slides: https://lnkd.in/eARrY_6b
– Replay: https://lnkd.in/emNaM3pQ
EDIT: Podcast on SRB and its implications: https://lnkd.in/e4-yMExt